\chapter{Security and Authentication}

The security and privacy of Ringer is built transparently on top of the GNU Transport Layer Security Library (GnuTLS)\cite{gnutls}. 
GnuTLS intercepts data streams at the TCP socket level; transmitted data is encrypted and compressed on its way out and decrypted and decompressed when it is received at the other end.
A handshake protocol is used to negotiate a cypher and authenticate both the client and server.
By default, Ringer uses a relaxed protocol which promotes interoperability. 
If a non-encrypted client (server) asks to connect to a encrypted server (client) the encryption will be dropped and the connection made in the clear. 
This behavior is customizable, and Ringer can enforce encryption if security is a priority over flexibility.

%The addition of GnuTLS to Thrift  is a custom extension which we created. 
%Source code is available upon request.
%GnuTLS is an extension to the Thrift transport library, and works as anther layer between the application and the TCP socket.

The GnuTLS library allows for both X.509 and OpenPGP based authentication; Ringer uses the PGP model.
 
%Each user (i.e. Ringer client or Metadata Server) creates their own PGP certificate.
%In this model, there is no centralized authority which dictates which certificates are trusted. 
%Instead, individual users can choose which certificates to trust.
%They then sign those certificates. 
%Each user also chooses which other users will act as ``introducers''.
%If a signature of a user trusted to be an introducer is found on a certificate, then that certificate is presumed to be authentic.
%If Alice trusts Bob to be an introducer, by extension Alice also trusts all of the certificates Bob has signed to be authentic.

Trust in Ringer flows uphill, in the sense that clients trust their MDS to be a trusted introducer and MDSs trust their parents to be trusted introducers.
Trust is not recursive, and because a certificate is trusted (but not signed) by a parent MDS does not mean that the child MDS will trust the certificate.
Therefore, whenever a MDS receives a certificate to sign, it passes it up to all of its parents to sign as well.

\begin{figure}[htbp]
\begin{center}
\includegraphics[width=0.48\textwidth]{graphs/network-trust}
\caption{In Ringer, trust flows uphill. Parents are trusted introducers, children are not. In this example, Alice and Bob are introduced to each other by Charlie.}
\label{trust}
\end{center}
\end{figure}

An example of how this all works is seen in Figure \ref{trust}.
Alice wants to communicate with Bob, but they do not share a common top level MDS.
However, both Alice and Bob do trust Charlie to be an introducer and Charlie has singed both Alice and Bob's certificates. 
Therefore, when Alice and Bob send each other their certificates, they both see that they are being introduced by a trusted introducer.

%\subsection{Permissions}

Ringer supports {\tt user/group/all} style read and write permissions.
These are set using the Unix {\tt chmod} command.
Permissions can only be changed by the client which owns the file. 
All users on the same host machine are considered part of the same group; adding and managing new groups is left for future work.
Each client is identified uniquely by their machine's host-name and local user id.



